The researcher who wrote this article seems to have been able to get a lot of holes patched with credits, albeit, some of these CVEs seem years old.

I guess a company wanting as much time as possible to fix bugs is a part of the game though, are other companies really keen for you to announce found vulns ASAP? They don't control how fast people upgrade so announcing slower is always better for end users, and that must ultimately take priority over the need of researchers for publicity. Isn't this something that one has to accept when finding holes in a consumer OS as an external?

The Apple sandbox architecture seems well designed to me, usually at least. There seems to have been some breakdown in architecture or communication in this case. To the extent there are bypasses it's because we demand a lot of functionality from desktop operating systems, arguably they are the most sophisticated and complex kind of operating system out there - far more so than server platforms. Web browsers also have a lot of CVEs and it's for the same reason. We want security, but also functionality, and inevitably there's going to be a tension point in the middle where the two rub up against each other.

> You can't just add them later, on top of the legacy Mac OS and NeXTSTEP technologies.

Apple can (and has been) since it owns the whole stack, evidenced by the fact that they've been gradually hardening macOS software and hardware for two decades.

It's been gradual enough that most end users haven't noticed, but macOS developers are painfully aware of the security-related issues they have to reckon with in both major and minor updates to macOS. Example:

  https://eclecticlight.co/2024/08/27/launching-apps-in-sonoma-14-6-1-full-security/
  https://eclecticlight.co/2024/08/28/launching-apps-in-sonoma-14-6-1-reduced-security/
  https://eclecticlight.co/2024/08/29/launching-apps-in-sonoma-14-6-1-known-malware/
  https://eclecticlight.co/2024/09/03/launching-apps-in-sonoma-14-6-1-conclusions/

I think this legacy is a burden in all mainstream operating systems? There are capability-based system, but none of them have any traction.

I am not sure what the solution is. Trying to bolt on security still seems better than doing nothing at all, where an application vulnerability immediately means a compromise of the a full user account?

>> You can't just add them later, on top of the legacy Mac OS

SELinux managed it, what's fundamentally stopping MacOS?

That's because the reason for these limitations is to make it harder for the third-party developers to compete with Apple's products.

Responsible disclosure is immediate public disclosure with no embargoes. Embargoes are how we as users are absorbing the costs of poor security practices. If the culture was a no-warning publish culture, I would expect feature iteration and API breaks to slow down to more conservative levels as bikeshedding that stuff dwindles.

Punish fast software development iteration with public embarrassment and lost users who got hosed by the vulnerability. If Apple or whoever start dicking around and not paying bounties, release it... or better yet: sell it on the darknet; you have got to be paid for your good work, and NSA/NSO are going to need more 0-day vulnerabilities with WWIII underway!